The United States continues to operate without a comprehensive federal consumer privacy law as the American Privacy Rights Act remains subject to further amendments and uncertainty. Consequently, nineteen states enacted comprehensive consumer privacy legislation, of which eight are becoming or have become effective in 2025, and some existing state privacy laws have been amended since their enactment. This fragmented approach creates compliance complexities and operational considerations for organizations operating at state and national levels.
Comprehensive consumer privacy laws taking effect in 2025
| Effective date | State comprehensive consumer privacy laws |
| --- | --- |
| January 1, 2025 | Delaware Personal Data Privacy Act; Iowa Consumer Data Protection Act; Nebraska Data Privacy Act; New Hampshire Senate Bill 255 |
| July 1, 2025 | Tennessee Information Protection Act |
| July 31, 2025 | Minnesota Consumer Data Privacy Act |
| October 1, 2025 | Maryland Online Data Privacy Act |
General requirements across each law
Each state law imposes distinct, jurisdiction-specific obligations on regulated organizations, which generally include the following:
Consumer rights: Each state law grants consumers certain privacy rights. While consumers’ privacy rights vary from state to state, consumers may be granted the right, subject to certain exceptions, to: (1) access, correct and delete data that an organization collects from or about them; (2) opt out of further data processing; (3) obtain their data in a portable form and direct the transfer of their personal information; and (4) restrict and limit the use and disclosure of sensitive personal information.
Organizational compliance obligations: Each state law also imposes certain obligations on regulated entities acting as a data controller (i.e., an entity that determines the purpose and means of processing personal data) or as a data processor (i.e., a third party that processes data under the direction and control of a data controller, such as a service provider or vendor). Regulated organizations acting as data controllers may be obligated to, among other things, respond to consumer privacy requests, implement reasonable technical and organizational security measures, provide consumers with a notice of privacy practices, and provide a mechanism through which consumers may opt out of data processing.
Key compliance considerations
In light of the complexities highlighted above, organizations should reflect on the following compliance considerations:
- Whether your organization’s corporate policies are compliant with new privacy legislation.
With several new legislative updates, organizational corporate policies, such as privacy policies and privacy notices, may become dated and/or noncompliant with the most recent and upcoming requirements. It is recommended practice for organizations to routinely evaluate their corporate policies to ensure compliance with any updated regulatory requirements and to implement changes to the extent necessary.
- Whether your organization is equipped to respond to consumer privacy requests.
Responding to consumer privacy requests may be problematic for organizations operating across multiple states because consumer privacy rights, and the nuances and exceptions attached to them, vary from state to state. Organizations should evaluate the various privacy rights and exceptions, if any, in the states in which they operate and establish a playbook to implement an efficient and effective response.
- Whether your organization is exempt from compliance.
Some privacy laws provide for entity-level and data-level exemptions, subject to certain nuances. An entity-level exemption generally exempts an organization based on the type of entity. For example, some states include an entity-level exemption for not-for-profit corporations or for entities regulated by certain federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA). A data-level exemption exempts certain data that is already subject to regulation under certain federal laws, such as HIPAA and the Gramm-Leach-Bliley Act.
In addition, some states set an operational threshold that an organization must meet or exceed to be subject to the relevant act. For example, in Delaware, an organization is subject to the act if (1) it does business in the state or produces products or services that are targeted to Delaware residents, and (2) one of the following applies: (i) it controls or processes personal data of 35,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (ii) it (a) controls or processes personal data of 10,000 or more consumers and (b) derives more than 20% of its gross revenue from the sale of personal data.
Organizations should evaluate whether they may be exempt from certain state laws and, if so exempt, how that might impact their corporate policies and go-to-market strategies.